The RTJ Bridge - The Research Platform Created by the Publishers of The RiskTech Journal
The RTJ Bridge is an independent research platform delivering institutional-grade IRM market intelligence, vendor competitive assessments, and strategic risk technology analysis. Built by the analyst who created the Integrated Risk Management category at Gartner, The RTJ Bridge gives risk leaders, technology executives, and solution providers the same caliber of competitive intelligence that major analyst firms charge $25,000 to $50,000+ per year to access.
Subscribers to The RTJ Bridge receive full access to:
IRM50 OnWatch Vendor Assessments — Competitive analysis of leading IRM vendors as market events unfold, covering platform strategy shifts, M&A impact, earnings signals, and positioning changes.
Autonomous IRM and AI Governance Research — Original research on how agentic AI is reshaping risk management operating models, from production deployment patterns to the structural implications for vendor platforms and enterprise programs.
Analyst Firm and Market Critiques — Independent assessments of research from Gartner, Forrester, and other major analyst firms, viewed through the IRM Navigator Model to identify gaps, validate signals, and challenge conventional positioning.
Board Governance and Audit Committee Intelligence — Research on oversight effectiveness, emerging risk response gaps, audit committee workload challenges, and the disconnect between risk reporting and executive action.
M&A and Strategic Alliance Analysis — Same-week analysis of acquisitions, partnerships, and PE investment moves reshaping the IRM competitive landscape, with implications for buyers, vendors, and investors.
Regulatory, ESG, and Sustainability Risk — Research on how evolving regulatory frameworks (SEC cyber disclosure, EU CSRD/CSDDD, AI regulation) affect enterprise risk programs and technology requirements.
IRM Navigator™ Market Intelligence — Strategic previews and deep dives from the IRM Navigator Model, the only independent model built specifically to evaluate integrated risk management maturity and vendor alignment.
Cyber Risk, Insurance, and Third-Party Risk — Analysis of cyber risk quantification, insurance market dynamics, and the convergence of third-party risk management into enterprise IRM programs.
Subscribe to get access now
The RTJ Bridge is an independent IRM research platform published by Wheelhouse Advisors. Subscribers receive ongoing access to vendor competitive assessments, AI disruption analysis, M&A and partnership impact research, and IRM Navigator™ market intelligence. This is the only research platform built and led by the analyst who created the Integrated Risk Management category, a market now valued at over $61 billion and projected to reach $133 billion by 2031.
Agentic AI Moves From Hype to Operating Model: What Risk Leaders Must Do Now
EY’s newest global insight, “What Risk Leaders Need to Do Now About Agentic AI,” sets a clear challenge: organizations that treat agentic AI as another productivity initiative risk amplifying exposure, not mitigating it. The report argues that risk functions must now move beyond experimentation and build an enterprise operating model where autonomous and semi-autonomous agents can act safely, transparently, and in alignment with strategy.
This message reinforces a structural shift already underway in Integrated Risk Management (IRM). Wheelhouse Advisors’ Autonomous IRM model defines how these agentic systems should operate—not as isolated bots or chat interfaces, but as integrated decision engines that connect strategic intent, operational execution, and assurance validation.
Workiva’s Q3 2025 Results Signal the Rise of “Assured Data Platforms” in the IRM Market
Workiva’s Q3 2025 results represent more than a financial beat—they reveal a strategic inflection point for the Integrated Risk Management (IRM) market. The company delivered total revenue of $224 million, up 21% year over year, with subscription and support revenue growing 23%. Its non-GAAP operating margin expanded to 12.7%, nearly tripling from the prior year. Just as significant, customers with annual contract value (ACV) above $500,000 rose 42%, confirming enterprise-scale adoption of Workiva’s unified disclosure and assurance platform.
This growth underscores a broader market movement toward “assured data platforms”—solutions that unify financial, sustainability, and risk reporting within one governed architecture. As ESG regulation, audit digitization, and AI assurance converge, Workiva’s performance signals what IRM leaders should expect across the next phase of market maturity.
ServiceNow Q3 2025 Through an IRM Market Lens
ServiceNow’s Q3 2025 performance is a clear demand signal for platform-centric Integrated Risk Management. The company reported subscription revenue of 3.299 billion dollars, up 21.5 percent year over year, with strong large-deal activity and a raised full-year subscription outlook. These results, combined with the AI Control Tower launch and continued Now Assist upgrades, indicate that buyers are consolidating GRC, technology risk, and assurance workflows on a single operating platform that can also govern AI models, agents, and evidence. This is an accelerant for IRM programs that seek unified taxonomies, end-to-end traceability, and continuous control monitoring across ERM, ORM, TRM, and compliance functions.
Reinventing Risk Management Through Integrated Risk, A PwC and OneTrust Perspective
PwC and OneTrust have published a concise eBook that advocates for a unified, digital operating model for risk, and positions their alliance to deliver it. The document highlights pressure on risk and compliance teams, presents recent PwC survey signals on funding and prioritization gaps, and outlines an “IRM ecosystem mindset” anchored in OneTrust’s modular platform and PwC’s implementation services.
IRM50 OnWatch: Acquisitions and Partnerships Signal Further Movement Away from Stand-alone GRC to Unified IRM
This past week, the IRM market took a decisive step toward operationalizing AI oversight at scale. AuditBoard moved first with a definitive agreement to acquire FairNow, a purpose-built AI governance platform, and expanded its alliance with EY US to pair platform capabilities with consulting delivery. In parallel, boardroom and sustainability workflows tightened through a new Diligent–Persefoni partnership, and specialized compliance players announced alliances that round out the IRM ecosystem. The signal is clear: buyer demand is shifting from point capabilities to unified operating models that align platforms, data, and services across Performance, Resilience, Assurance, and Compliance.
Agentic Operational Risk: How AI Is Reshaping Control, Performance, and Resilience
Operational risk management is evolving from reactive oversight to intelligent orchestration. Agentic AI, systems that can plan, tool, and act with bounded autonomy, is at the center of this shift. These agents compress cycle times, expand control coverage, and deliver evidence with audit grade traceability. Within the IRM Navigator™ Model, they strengthen the connection between Performance and Resilience, the two objectives where ORM delivers the most tangible value.
EY’s Boomi Alliance Accelerates IRM+ into the Autonomous IRM Era
EY’s new alliance makes Boomi the preferred way to connect the many systems IRM+ depends on, move and manage the data they generate, and orchestrate AI (including AI agents) around IRM+ workflows. IRM+ itself continues to be anchored on ServiceNow for risk workflows; Boomi primarily strengthens the integration, data, and AI layers around it.
Bridging the Divide: How ServiceNow’s AI Experience Could Unify TRM and IRM
ServiceNow’s latest innovation, AI Experience, introduces a unified conversational interface that could redefine how organizations manage risk. Far from being another “AI assistant,” this platform-level integration embeds natural language and multimodal intelligence across workflows, connecting Technology Risk Management (TRM) with Integrated Risk Management (IRM) in ways that make risk management feel less like a process and more like a conversation. This commentary explores how AI Experience extends ServiceNow’s TRM and IRM capabilities, why it represents a major shift toward unified risk intelligence, and how it aligns with the Performance, Resilience, Assurance, and Compliance (PRAC) objectives of the IRM Navigator™ Model.
Aon GRMS Survey 2025: Integrated Risk Management Moves From Slogan to System
Aon’s 2025 Global Risk Management Survey frames the environment as a system of overlapping risks that cannot be managed effectively in silos. The “Top 10 Global Risks” chapter states that organizations that adopt a proactive, integrated approach can turn complexity into opportunity. This aligns directly with the IRM Navigator™Model and its PRAC objectives, Performance, Resilience, Assurance, and Compliance, operated as one cadence rather than separate projects.
The Exponential Ripple: How JLR’s Cyber Incident Exposed the Interconnected Matrix of Risk, and How PRAC Stops the Spread
A month after Jaguar Land Rover’s cyber incident, the story is no longer only about one company’s outage. It is about the exponential ripple that travels through a tightly coupled production and supplier network, then into finance, regulation, and public policy. The United Kingdom moved to stabilize the sector with a £1.5 billion loan guarantee through UK Export Finance, a partial backstop intended to unlock working capital from commercial banks and push liquidity down the supply chain. Reporting also confirms that JLR had no cyber insurance at the time of the attack, and that recovery will take months rather than days, with additional bank facilities arranged alongside the guarantee.
Signals from Emerging IRM Players: Week 41 includes AI for evidence, CMMC conformance, and TPRM intake
Activity among non-IRM50 vendors clustered around three themes. First, AI is being attached to concrete, auditable jobs such as cyber compliance documentation and procurement intake, where outcome claims are easiest to verify. Second, regulated-supplier conformance remained a priority, with releases framed around CMMC and FIPS requirements. Third, niche consolidation advanced in regulated reporting and AML, evidenced by a targeted acquisition. For buyers, the takeaway is to pilot for outcomes not features, demand exportable evidence, and ensure data lineage into your IRM system of record.
ServiceNow announces “AI Experience” as a front end for agentic workflows
ServiceNow announced AI Experience, a conversational interface that sits across Now Platform workflows. The company describes five elements: AI Lens for screen-aware actions, AI Voice Agents, AI Web Agents, AI Data Explorer, and an AI-governance layer via AI Control Tower. ServiceNow says AI Lens is available now. Voice Agents, Web Agents, and Data Explorer are targeted for availability by the end of 2025.
IRM50 OnWatch: Signals Include Governance Pressure, AI Adoption Proof Points, and Human-in-the-loop Design
Governance risk moved to the foreground as an activist investor disclosed a roughly 2 percent stake in Workiva and called for board and capital allocation changes. AI adoption signals remained strong, anchored by a visible at-scale activation of watsonx with ESPN and a sell-side upgrade that reframed ServiceNow’s near-term AI execution. Product direction indicators surfaced at Archer with Evolv portfolio additions and an explicit human-in-the-loop design stance, while OneTrust reported dated momentum markers that should be treated as viability signals pending customer corroboration.
IRM50 OnWatch: Signals Include Embedded AI Controls with ServiceNow, IBM and Hyperproof
AI moves from pilots to embedded controls. ServiceNow, IBM, and Hyperproof advanced AI features that directly support evidence collection, model governance, and remediation, signaling a shift from productivity to verifiable compliance outcomes.
Third-party risk converges into unified stacks. SecurityScorecard’s acquisition of HyperComply combines questionnaire automation with ratings, showing buyers should expect integrated TPRM platforms over the next two to three quarters.
Resilience, ESG, and privacy institutionalize further. Everbridge, Workiva, EcoOnline, and OneTrust reinforced ESG disclosure, personal safety integration, and AI governance, aligning risk practices with board-level assurance expectations.
Identity threats remain systemic. Microsoft, Cloudflare, and law enforcement dismantled a phishing-as-a-service network targeting Microsoft 365, underscoring identity proofing and MFA as structural controls in IRM workflows.
Provision 29 and the Trust Deficit: How UK Boards Can Convert a High-Stakes Declaration into Credible Assurance
Provision 29 of the UK Corporate Governance Code 2024 requires boards to monitor and review the company’s risk management and internal control framework, then state in the annual report how that review was performed, declare whether the company’s material controls were effective at the balance sheet date, and describe any material controls that were not effective and the remediation taken or planned. The Provision applies for financial years beginning on or after 1 January 2026 and covers material controls across financial, operational, reporting and compliance domains. There is no mandatory external assurance, and the requirement operates on a comply or explain basis.
The EU’s AI Code of Practice: Compliance, Operating Implications, and the Role of Integrated Risk Management
The EU AI Act entered into force on 1 August 2024 and will be fully applicable on 2 August 2026, with key provisions already active. Prohibitions and AI literacy duties have applied since 2 February 2025. Obligations for providers of general purpose AI, including transparency and copyright requirements, began on 2 August 2025. A voluntary General Purpose AI Code of Practice published on 10 July 2025 operationalizes how model providers can demonstrate compliance until harmonized standards arrive. The European Commission also issued guidelines clarifying scope and a mandatory template for the public summary of training content. Enforcement by the Commission for general purpose obligations begins in 2026, and models placed on the market before 2 August 2025 have until 2 August 2027 to comply. Maximum fines can reach 35 million euros or 7 percent of worldwide turnover for certain violations.
The Strategic Blind Spot: Closing the Boardroom Gap in AI Risk Oversight
Our recent research on audit committees revealed a stark reality: boards are most concerned about oversight gaps in cybersecurity, privacy, and AI, yet few have the structures to address them effectively. The 2025 Audit Committee Survey Insights showed that nearly half of audit committees see AI oversight as an unresolved gap, while only a fraction claim primary responsibility. The conclusion was clear—AI has moved into the boardroom agenda, but governance has not caught up.
This companion note builds directly on that finding. Where the audit committee analysis highlighted AI as part of a broader oversight deficit, here we focus on AI risk oversight itself. Drawing on new data from Infosys’s global survey of 1,500 executives, we examine why AI oversight remains fragmented, how the gap manifests in practice, and what boards and senior executives must do to close it.
Technology Risk at Machine Speed: Why Integrated Systems Demand Integrated Risk Management
Jaguar Land Rover’s cyber incident shows how modern enterprises operate inside an interconnected matrix of risk. Technology assets and operational processes are closely linked, so a disruption in one tier quickly spreads across production sites, suppliers, dealers, and customers.
On September 2, 2025, JLR confirmed a cyber intrusion and proactively shut systems to contain the impact. By September 6, production was halted in the United Kingdom, Slovakia, Brazil, and India. West Midlands suppliers sent thousands of staff home. Dealer platforms, including the electronic parts catalogue, were inaccessible. Analysts estimate losses of £5 million per day, and insiders indicate recovery will take weeks rather than days. A group calling itself Scattered Lapsus$ Hunters claimed responsibility.
Audit Committees Signal a Mandate for Unified IRM, Not Just GRC
Audit committees in 2025 are under growing pressure to oversee risks that are more complex, interconnected, and fast-moving than ever before. KPMG’s survey of 85 U.S. audit committee members (February–May 2025) highlights systemic oversight gaps in cybersecurity, privacy, AI, and third-party resilience. While only one-quarter of respondents describe their risk management as holistic and forward looking, the survey reveals that committees are struggling less with awareness and more with execution. The IRM Navigator™ Maturity Curve confirms that most organizations remain in the early to mid stages of maturity. However, the five functional layers of Autonomous IRM offer a more practical blueprint for closing these oversight gaps and absorbing workload without restructuring committees.
This research note interprets the KPMG findings through the lens of both frameworks: the Maturity Curve, which shows where audit committees are today, and the five functional layers, which define how they can progress toward unified, assurance-driven oversight.
Agentic AI in Risk Management Consulting: A Field Report on the Road to Autonomous IRM
This field report builds on the IRM Navigator™ Vendor Compass for RMC (July 2025). While the Vendor Compass positioned consulting firms in terms of integration breadth and AI enablement, this follow-on examines how those claims are translating into field activity. It reflects a moment in time: as platforms mature and deployments expand, these placements will continue to evolve.